California’s new in-browser opt-out is law. Here’s the 20-minute play to get ready.

Data Governance
Written By Shayne Adler

California just signed the Opt Me Out Act (AB 566). By Jan 1, 2027, browsers must include a built-in opt-out preference signal, so people can send a single, one-click “don’t sell/share” choice from the browser itself. Covered businesses still have to honor opt-out signals today, but this change will make signals common and visible. Translation for operators: treat browser signals as default, not edge cases. Ship proof that your stack honors them.

What this means for your promises and your stack

Users will expect “set once, protected everywhere.” The CPPA framed AB 566 as filling the gap between rights on paper and rights in practice. If your tags or server-side events still fire when a browser sends an opt-out, you will feel it with buyers and, later, with regulators. Start small: map where signals arrive, where they could be dropped, and how you prove the right thing happened.

A simple 20-minute play you can run this week

  1. Map the paths: pixel, tag manager, server events/CAPI, SDKs. Write one line per path.

  2. Gate everything on consent: no consent or an opt-out signal means 0 tags/events until allowed.

  3. Record the choice: store time, source (browser OOPS/GPC), and scope.

  4. Pass the choice: send it to vendors by API or webhook and keep their acknowledgement.

  5. Align words to deeds: update your policy and cookie copy so it matches behavior.

  6. Save one proof per step: a HAR file or screenshot for tags, a log for server events, a ticket or API response for vendors. Put them in a weekly Proof folder.

  7. SLA the rest: set a 45-day clock for deletion/opt-out fulfillment and log completions.

What to monitor next quarter

  • Signal rate: how often you receive OOPS/GPC.

  • Leak checks: any tag/vendor that activates without allowed consent.

  • Vendor gaps: partners that cannot ingest choices. Add rules or swap.

  • Words drift: confirm policy and UI still match the build after each deploy.

  • Mobile web: track CPPA updates on how browsers apply OOPS on mobile.

FAQs

Is honoring signals new?
No, California already expects covered businesses to honor valid signals. The new part forces browsers to ship a built-in opt-out, which will raise usage.

Do we need a new CMP?
Not always. Most stacks can gate tags and server events now.

Will this hurt measurement?
Some. Trust rises when signals stick. Buyers notice.

Actionable takeaways

  • Treat browser opt-out as default input.

  • Gate tags and server events, then save one proof per step.

  • Keep words and behavior in sync.

Adapt this to your context. If you want a quick sanity check on your map and proofs, contact us and we can walk it together.

Shayne Adler
Next

Meta will use AI-chat data for ads. Keep your consent story intact.